Visa Releases Security Advice for Payment Application Vendors

Visa teamed with the SANS Institute to offer best practices for security for payment application vendors. The advice is meant to complement the Payment Application Data Security Standard.

Visa has released a set of best practices for payment application vendors to
help ensure security beyond the requirements of industry compliance.

The document comes roughly two weeks after the PCI (Payment Card Industry)
Security Standards Council outlined
proposed changes to payment card industry regulations. According to Visa,
which developed
the guidance with the help of the SANS Institute, the document is meant to
compliment the PCI PA-DSS (Payment Application Data Security Standard).

"The PA-DSS provides guidance for
developing secure software, while Visa's Best Practices for Payment Application
Companies represents a natural companion, providing guidance on how to securely
install that piece of software," Eduardo Perez, head of global payment system security
at Visa, said in a statement. "We saw from data-compromise investigations that
while an application may be secure and comply with the PA-DSS,
implementation and management missteps can create vulnerabilities."
The best practices include conducting application vulnerability tests and code reviews
on new payment application versions prior to sale or distribution and adhering to
industry guidelines for data field encryption and tokenization across payment
applications using these technologies.
"It is in the best interest for the payment application provider to
proactively adopt practices, such as these, so more often than not, merchants
will find that these best practices are widely used and vendors are already
doing these things," said Eric Bushman, vice president of solutions engineering
at Paymetric. "No single requirement outlined in this document stands out as
one that merchants would have challenges ensuring their vendor is adhering to. But
that doesn't mean that they should assume the payment application provider is,
in fact, doing these things."

One of the toughest
challenges, especially for large merchants, is the implementation of PA-DSS-certified
applications, said Keith Swiat, director of PA-DSS
at Trustwave.
"While small merchants can be more agile in this area, merchants with
thousands of retail outlets can run into serious time and resource issues
trying to meet this requirement," he said. "With the increased exposure to the
PCI-DSS by merchants and application
vendors, the vast majority are using these best practices, successful or not,
in some form. The most effective way to propagate this information will be for
merchants and application vendors to maintain a good relationship with their
banks to keep up-to-date on any new developments that the card brands may push
down."